views:

199

answers:

4

This is the first time I have been faced with someone trying to penetrate a website I have created. What can I do to put a stop to the attempts?

As a side note, their SQL injection stands no chance of ever working and there isn't any data that we have that isn't already available to anyone using this site normally.

Appended:

I think the code part is covered for most XSS and SQL injection but I am definitely considering a security audit. I was just curious about the response. Am I really only limited to blocking IP addresses?

+1  A: 

Is it many sources or just a few IPs? We've had a few IPs do shadowy things and have used IIS to block them specifically. If it's a coordinated attack from multiple sources this won't help.

n8wrl
+2  A: 

Unless this is your first public website, all of the websites you have worked on were under attack roughly 3 minutes into being accessible whether you knew it or not.

A couple things you can start doing are:

  1. Start blocking the IPs that attacks are coming from. This isn't always feasible as IP addresses frequently change and some types of attacks can work with a spoofed address.

  2. Put an intrusion detection system (IDS) in place and start monitoring everything.

  3. Verify your firewalls are working correctly and monitor the attack vectors. Make sure everything they are going after is pretty well secured.

Chris Lively
There are large groups of people who constantly port scan IP addresses. If your machine responds on a port (like 80, for instance) then your address will be logged for automated attacks. This is fact; look it up. As a side note, I think the average time for an unpatched / unsecured server to be cracked, counting from the moment it is plugged into the internet, is about 2 minutes.
Chris Lively
Correction, in 2004 it was clocked at 4 minutes. http://dic.academic.ru/dic.nsf/enwiki/11416. This is why Vista and Windows Server 2008 both perform initial boots with networking disabled; to give you time to patch them before the flood comes.
Chris Lively
Blocking individual IPs is unlikely to be of much use given the modern zombie approach, but it might give you an 80/20 occasionally.
annakata
@annakata: I completely agree. If IP blocking is used it should be time limited to something like 48 hours or so.
Chris Lively
+4  A: 

If you already are protected against SQL injections, you've got a major attack covered. The next biggest threat (in my opinion) would be Cross-Site Scripting (XSS) since it would allow an attacker to have another user do something malicious, making it hard to track that activity.

You should also be aware of Cross-Site Request Forgeries (CSRF), since that is one that many people seem to miss a lot of times.

I would take a look at OWASP's Top 10 Web Security Vulnerabilities and make sure you protect against all 10 of them as best as possible. Any one of them could seriously open you up to attackers if you aren't careful.

Dan Herbert
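The two threats named in this answer, CSRF and XSS, are usually countered by a per-session request token and by output encoding. The following is an added illustration written for this page; it is not code from Dan Herbert's answer, from OWASP, or from the asker's site. The secret key, session ids and the form dictionary are constructed stand-ins, and the token format (expiry, nonce, HMAC over session id plus both) is one common stateless design, not the only one.

```python
import hashlib
import hmac
import html
import secrets
import time

# Constructed example key. A real deployment uses a per-site secret kept out of source control.
SECRET_KEY = b"example-only-rotate-me"


def _sign(session_id, expiry, nonce):
    """HMAC binds the token to one session and one expiry, so a token stolen from
    another user's page (or an old one) does not verify."""
    msg = f"{session_id}|{expiry}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None, ttl_seconds=3600):
    """Return 'expiry.nonce.mac' to embed as a hidden field in the form."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    nonce = secrets.token_hex(8)
    return f"{expiry}.{nonce}.{_sign(session_id, expiry, nonce)}"


def verify_csrf_token(token, session_id, now=None):
    """Accept only a well-formed, unexpired token whose MAC matches this session."""
    now = int(time.time()) if now is None else now
    try:
        expiry_s, nonce, mac = token.split(".")
        expiry = int(expiry_s)
    except (ValueError, AttributeError):
        return False
    if now > expiry:
        return False
    expected = _sign(session_id, expiry, nonce)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(mac, expected)


def render_comment(user_text):
    """Output-encode untrusted text before it lands in HTML; this is the XSS defence
    that matters when stored data is shown to other users."""
    return f'<p class="comment">{html.escape(user_text, quote=True)}</p>'


def handle_post(form, session_id, now=None):
    """Simulated POST handler: CSRF check first, then escaped rendering.
    Returns (status_code, body)."""
    token = form.get("csrf_token", "")
    if not verify_csrf_token(token, session_id, now):
        return 403, "CSRF token missing, expired, or not bound to this session"
    return 200, render_comment(form.get("comment", ""))


if __name__ == "__main__":
    tok = issue_csrf_token("sess-A")
    print(handle_post({"csrf_token": tok, "comment": "<b>hi</b>"}, "sess-A"))
    print(handle_post({"comment": "<b>hi</b>"}, "sess-A"))
```

The token is only as good as the check being applied to every state-changing request; a single unprotected form handler is the kind of gap the answer warns about.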
+1  A: 

This answer comes from another one that I answered about IIS getting hacked:

Hopefully you've had your IIS logfiles turned on and hopefully the hacker didn't erase them. By default they're located here: c:\winnt\system32\LogFiles\W3SVC1 and will generally be named after the date.

Then it's probably helpful to figure out how to use log parser (from Microsoft), which is free. Then use this guide to help you with looking forensically at your logfiles. Do you have a firewall? Its syslogs might be helpful.

Another decent tool to help you find SQL injection issues is to go here and download HP's Scrawlr.

If you have any more questions about what you've found, come back and ask.

GregD
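Chris Lively's answer (monitor everything, block offending IPs only for a limited window such as 48 hours) and GregD's answer (start from the IIS logfiles) meet in one task: read the W3C logs, find the requests that look like injection probes, and turn repeat offenders into a temporary block list. The example below is added for this page and is not code from either answer, from Microsoft's Log Parser, or from the asker; it is a small Python stand-in so the steps can be run offline. The log lines, addresses and timestamps are constructed, the `#Fields:` layout is the standard IIS W3C extended format, and the threshold of three suspicious requests is an arbitrary choice; only the 48-hour expiry comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (invented addresses and times,
# not taken from the question). Empty fields are written as "-" in this format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-05-01 10:15:01 203.0.113.7 GET /product.aspx id=42 200
2009-05-01 10:15:03 203.0.113.7 GET /product.aspx id=42%27 500
2009-05-01 10:15:04 203.0.113.7 GET /product.aspx id=42+UNION+SELECT+1,2,3-- 500
2009-05-01 10:15:09 198.51.100.2 GET /about.aspx - 200
2009-05-01 10:15:12 203.0.113.7 GET /product.aspx id=42+AND+1%3D1 200
2009-05-01 11:40:00 198.51.100.2 GET /search.aspx q=cats+and+dogs 200
"""

# Indicators checked against the URL-decoded query string. A lone quote is the
# noisiest of these; tune the list against your own application's normal traffic.
SQLI_PATTERN = re.compile(
    r"'"                               # string delimiter
    r"|union\s+select"                 # UNION-based probing
    r"|\b(?:or|and)\s+\d+\s*=\s*\d+"   # numeric tautology such as 1=1
    r"|--|/\*"                         # SQL comment sequences
    r"|;\s*(?:drop|insert|delete|update|exec)\b",
    re.IGNORECASE,
)


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; W3C field values never contain spaces
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_suspicious_query(query):
    """True when the decoded query string carries one of the indicators above."""
    if not query or query == "-":
        return False
    return SQLI_PATTERN.search(unquote_plus(query)) is not None


def suspicious_by_ip(records):
    """Group flagged requests by client address."""
    hits = defaultdict(list)
    for rec in records:
        if is_suspicious_query(rec.get("cs-uri-query")):
            hits[rec["c-ip"]].append(rec)
    return dict(hits)


def build_block_list(records, threshold=3, block_hours=48):
    """Map each repeat offender to the time its block should lapse (last hit + block_hours)."""
    blocks = {}
    for ip, recs in suspicious_by_ip(records).items():
        if len(recs) >= threshold:
            last_seen = max(r["timestamp"] for r in recs)
            blocks[ip] = last_seen + timedelta(hours=block_hours)
    return blocks


def summarize(records):
    """One line per flagged address; 5xx responses alongside probes deserve a closer look."""
    lines = []
    for ip, recs in sorted(suspicious_by_ip(records).items()):
        errors = sum(1 for r in recs if r.get("sc-status", "").startswith("5"))
        lines.append(f"{ip}: {len(recs)} suspicious request(s), {errors} with 5xx status")
    return lines


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("\n".join(summarize(recs)))
    for ip, until in build_block_list(recs).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Feeding the expiry times into whatever enforces the block (IIS IP restrictions or the firewall) is what keeps the list from growing forever, which is the point annakata and Chris Lively make about blocking individual addresses.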